greenbone / gsa

Greenbone Security Assistant - The web frontend for the Greenbone Community Edition
GNU Affero General Public License v3.0

Strict MIME type checking is enforced for module scripts per HTML #4178

Closed gafain closed 3 weeks ago

gafain commented 1 month ago

Expected behavior

Actual behavior

I installed openvas on Ubuntu 24.04. Because this did not install the web interface, I cloned this git repository and ran the build without errors; I have installed the GSA. The web server responds with the index.html but did not load the JavaScript and CSS.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-VA8O2hAdooB288EpSTrGLl7z3QikbWU9wwoebO/QaYk='), or a nonce ('nonce-...') is required to enable inline execution.

127.0.0.1/:12 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-+5XkZFazzJo8n0iOP4ti/cLCMUudTf//Mzkb7xNPXIc='), or a nonce ('nonce-...') is required to enable inline execution.

index-D8O4oQLF.js:1 Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "text/html". Strict MIME type checking is enforced for module scripts per HTML spec.

On Firefox I have this message:

Il caricamento del modulo da “https://127.0.0.1:9392/assets/index-D8O4oQLF.js” è stato bloccato a causa del tipo MIME non consentito (“text/html”).

Il foglio di stile https://127.0.0.1:9392/assets/index-DTH69syH.css non è stato caricato in quanto il suo tipo MIME, “text/html”, non corrisponde a “text/css”.

Content-Security-Policy: Le impostazioni della pagina hanno bloccato l’esecuzione di uno script in linea (script-src-elem) in quanto viola la seguente direttiva: “script-src 'self'”

Content-Security-Policy: Le impostazioni della pagina hanno bloccato l’esecuzione di uno script in linea (script-src-elem) in quanto viola la seguente direttiva: “script-src 'self'”

Il foglio di stile https://127.0.0.1:9392/assets/index-DTH69syH.css non è stato caricato in quanto il suo tipo MIME, “text/html”, non corrisponde a “text/css”.

Steps to reproduce

1. Install openvas on Ubuntu 24.04
2. Clone gsa repo
3. Build and install on folder created by installer

GVM versions

gsa: (gsad --version) 22.08.0~git

gvm: (gvmd --version) 23.1.0

openvas-scanner: (openvassd --version)

gvm-libs:

Environment

Operating system: Ubuntu 24.04

Installation method / source: (packages, source installation)

Logfiles

gsad main:MESSAGE:2024-10-03 11h32.21 utc:11937: Starting GSAD version 22.08.0~git
gsad main:CRITICAL:2024-10-03 11h32.21 utc:11937: main: Could not load private SSL key from /var/lib/gvm/private/CA/serverkey.pem: Failed to open file “/var/lib/gvm/private/CA/serverkey.pem”: No such file or directory
gsad main:WARNING:2024-10-03 11h32.21 utc:11942: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 11h33.51 utc:12598: Starting GSAD version 22.08.0~git
gsad main:CRITICAL:2024-10-03 11h33.51 utc:12598: main: Could not load private SSL key from /var/lib/gvm/private/CA/serverkey.pem: Failed to open file “/var/lib/gvm/private/CA/serverkey.pem”: No such file or directory
gsad main:WARNING:2024-10-03 11h33.51 utc:12600: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 11h35.22 utc:12654: Starting GSAD version 22.08.0~git
gsad main:CRITICAL:2024-10-03 11h35.22 utc:12654: main: Could not load private SSL key from /var/lib/gvm/private/CA/serverkey.pem: Failed to open file “/var/lib/gvm/private/CA/serverkey.pem”: No such file or directory
gsad main:WARNING:2024-10-03 11h35.22 utc:12656: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 11h36.52 utc:12823: Starting GSAD version 22.08.0~git
gsad main:WARNING:2024-10-03 11h36.52 utc:12824: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 12h35.15 utc:21879: Starting GSAD version 22.08.0~git
gsad main:WARNING:2024-10-03 12h35.15 utc:21881: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 12h35.36 utc:22087: Starting GSAD version 22.08.0~git
gsad main:WARNING:2024-10-03 12h35.36 utc:22089: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 13h25.57 utc:33356: Starting GSAD version 22.08.0~git
gsad main:WARNING:2024-10-03 13h25.57 utc:33358: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 13h29.53 utc:2034: Starting GSAD version 22.08.0~git
gsad main:WARNING:2024-10-03 13h29.53 utc:2038: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 13h33.26 utc:2025: Starting GSAD version 22.08.0~git
gsad main:WARNING:2024-10-03 13h33.26 utc:2032: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 13h46.21 utc:4595: Starting GSAD version 22.08.0~git
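As an added diagnostic (not code from the gsa project or from the reporter), the following Python reproduces offline the two checks the browser errors above come from: the Content-Type of each asset referenced by index.html against strict MIME typing, and whether the effective CSP script directive admits inline scripts. The `fetch` callables and the index.html snippet are constructed stand-ins; wiring `fetch` to a real gsad instance is an assumed extension.

```python
"""Offline diagnostic for this issue's two symptoms (constructed example, not gsa code): a server that
answers index.html (text/html) for asset paths, and a CSP whose script-src blocks inline scripts."""
from html.parser import HTMLParser
from urllib.parse import urljoin

JS_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}  # stylesheets: text/css

class AssetCollector(HTMLParser):
    """Collects <script src> and <link rel=stylesheet href> references from index.html."""
    def __init__(self):
        super().__init__()
        self.assets = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.assets.append((a["src"], "script"))
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.assets.append((a["href"], "stylesheet"))

def mime_ok(kind, content_type):
    base = content_type.split(";")[0].strip().lower()
    return base in JS_TYPES if kind == "script" else base == "text/css"

def check_assets(base_url, index_html, fetch):
    """fetch(url) -> (status, content_type); returns the assets a browser would refuse to load."""
    parser = AssetCollector()
    parser.feed(index_html)
    bad = []
    for ref, kind in parser.assets:
        url = urljoin(base_url, ref)
        status, ctype = fetch(url)
        if status != 200 or not mime_ok(kind, ctype):
            bad.append((url, kind, ctype))
    return bad

def csp_allows_inline_script(csp):
    """True if the effective script directive permits inline scripts (CSP3 fallback order)."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    src = directives.get("script-src-elem", directives.get("script-src", directives.get("default-src", [])))
    return any(s == "'unsafe-inline'" or s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
               for s in src)

# Constructed sample with the issue's asset names; fallback_fetch mimics a server answering every path with index.html.
INDEX_HTML = ('<script type="module" src="/assets/index-D8O4oQLF.js"></script>'
              '<link rel="stylesheet" href="/assets/index-DTH69syH.css">')
fallback_fetch = lambda url: (200, "text/html")
correct_fetch = lambda url: (200, "text/javascript" if url.endswith(".js") else "text/css")
```

Running `check_assets` against the fallback server reports both assets with `text/html`, which is exactly the condition that produces the "Strict MIME type checking" and stylesheet errors quoted above.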

cfi-gb commented 1 month ago

Most likely this could be closed directly as "invalid":

When mixing very outdated versions of components like (gsad --version) 22.08.0~git or (gvmd --version) 23.1.0, which both were released one year ago, with the most recent versions of another component, unexpected behaviors occur / are expected. Especially when mixing a package-based installation of components from a 3rd-party provider like Ubuntu with a manual installation of another component.

In this special case the outdated version shipped by that 3rd-party Ubuntu provider does not include e.g. greenbone/gsad/pull/171.

See https://greenbone.github.io for how to get more recent versions of all components and https://forum.greenbone.net/ for installation support.